Senators offer bill to boost security of internet-connected devices
A bipartisan group of senators unveiled legislation Tuesday to bring more security to internet-connected devices, often referred to as the “internet of things.”
Sens. Mark Warner (D-Va.), Steve Daines (R-Mont.), Cory Gardner (R-Colo.) and Ron Wyden (D-Ore.) introduced the “Internet of Things Cybersecurity Improvement Act of 2017.”
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Warner in a statement announcing the bill.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” he added.
Internet-connected devices raise a number of problems in cybersecurity. Hackers can take over vast arrays of connected devices and synchronize them to overwhelm a targeted server with requests, knocking it offline – an attack known as a distributed denial of service. This kind of attack felled a critical internet switchboard in October of last year, briefly knocking sites from Twitter to The New York Times offline.
Hackers can also use internet-connected devices, including baby monitors and talking dolls, to snoop on their users or to converse directly with them without permission. In some cases, hackers can cause real-world damage by sabotaging the device.
The bill would limit government purchases of internet-connected devices to those meeting minimal security standards, require agencies to catalog internet-connected devices in their possession and tweak copyright laws to allow researchers to check device security, provided they responsibly disclose their findings. The bill would also call for the Office of Management and Budget to develop security standards for devices that lack the technological resources to pose as big a threat and for the NSA to develop standards for researchers to contact government contractors about security flaws found in their products.
Many devices are currently not updatable, meaning they can never patch security flaws.
Researchers have lobbied for a change to copyright laws for many years, noting that they stifle needed security testing. The 20-year-old Digital Millennium Copyright Act (DMCA) prohibits anyone from circumventing technological copyright protections, even for reasons that would not violate a copyright. That means internet-connected devices that take any measure to protect the coding of a machine can never have that coding audited by a researcher.
The Library of Congress, which has authority to grant exemptions to the DMCA, exempted a handful of devices for research purposes, including voting machines.
The bill has racked up endorsements from prominent security, internet and privacy researchers, including Harvard’s Jonathan Zittrain and Bruce Schneier; industry executives, including Jeff Greene, senior director of global government affairs and policy at Symantec; and leaders at digital liberties groups, including Michelle Richardson, deputy director of the Freedom, Security and Technology Project at Center for Democracy and Technology.
“Poor cyber hygiene represents a public health issue — and even threat to human life,” reads a testimonial from Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and creator of the internet of things security advocacy group “I am the Cavalry.”
“It is encouraging to see what the federal government can do to raise the bar,” he said.